Snort mailing list archives
Is this possible answer to the problem?
From: Peter Rodger <prodger2008 () yahoo com>
Date: Wed, 26 Oct 2005 11:48:35 -0700 (PDT)
Hi All,
The below is the part of output from snort -c -l
Ypu can tell 60% packets are dropped. could this be
the reason I can not suppress
suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4
Even I changed only span one VLAN, still 60-70%
packets are dropped.
Snort received 14747 packets
Analyzed: 6016(40.795%)
Dropped: 8731(59.205%)
===============================================================================
Breakdown by protocol:
TCP: 5955 (40.381%)
UDP: 52 (0.353%)
ICMP: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 6 (0.041%)
DISCARD: 0 (0.000%)
****************************************************
The whole output:
D:\win-ids\Snort\bin>snort -c
"d:\win-ids\snort\etc\snort.conf" -l "d:\win-ids\s
nort\log"
Running in IDS mode
Initializing Network Interface
\Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9
}
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9
}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file d:\win-ids\snort\etc\snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513
1433
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename:
d:\win-ids\snort\etc\unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep
decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
Using LOCAL time
alert_syslog output processor is defaulting to syslog
server on 127.0.0.1 port 5
14!
database: compiled support for ( mysql odbc mssql )
database: configured to use mssql
database: database name = snort
database: user = snort
database: password is set
database: host = localhost
database: port = 1433
database: sensor name =
TESTIDS:\Device\NPF_{068F010E-6C94-4163-9C52-15551BFD6
6A9}
database: SQL Server message 5701, state 2, severity
0:
Changed database context to 'snort'.
Server 'TESTIDS',
database: SQL Server message 5701, state 1, severity
0:
Changed database context to 'snort'.
Server 'TESTIDS', Line 1
database: sensor id = 1
database: inconsistent cid information for sid=1
Recovering by rolling forward the cid=45184
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql odbc mssql )
database: configured to use mssql
database: database name = snort
database: user = snort
database: password is set
database: host = localhost
database: port = 1433
database: sensor name =
TESTIDS:\Device\NPF_{068F010E-6C94-4163-9C52-15551BFD6
6A9}
database: SQL Server message 5701, state 2, severity
0:
Changed database context to 'snort'.
Server 'TESTIDS',
database: SQL Server message 5701, state 1, severity
0:
Changed database context to 'snort'.
Server 'TESTIDS', Line 1
database: sensor id = 1
database: schema version = 106
database: using the "alert" facility
2111 Snort rules read...
2111 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Warning: flowbits key 'http.jpeg' is checked but not
ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but
not ever set.
Warning: flowbits key 'realplayer.playlist' is checked
but not ever set.
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3273 type=Threshold
tracking=src count=5 seconds=
2
| gen-id=1 sig-id=3542 type=Threshold
tracking=src count=5 seconds=
2
| gen-id=1 sig-id=3543 type=Threshold
tracking=src count=5 seconds=
2
| gen-id=1 sig-id=3527 type=Limit
tracking=dst count=5 seconds=
60
| gen-id=1 sig-id=2275 type=Threshold
tracking=dst count=5 seconds=
60
| gen-id=1 sig-id=3152 type=Threshold
tracking=src count=5 seconds=
2
| gen-id=1 sig-id=2523 type=Both
tracking=dst count=10 seconds=
10
+-----------------------[suppression]------------------------------------------
| gen-id=1 sig-id=466
tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=1 sig-id=1070
tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=1 sig-id=882
tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=119 sig-id=4
tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=27
tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=19
tracking=dstip=0.0.0.0 mask=0.0.0.0
+------------------------------------------------------------------------------
Rule application order:
->activation->dynamic->alert->pass->log
Log directory = d:\win-ids\snort\log
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version
2.3.0-ODBC-MySQL-MSSQL-FlexRESP-WIN32 (Build 10)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc., et
al.
===============================================================================
Snort received 14747 packets
Analyzed: 6016(40.795%)
Dropped: 8731(59.205%)
===============================================================================
Breakdown by protocol:
TCP: 5955 (40.381%)
UDP: 52 (0.353%)
ICMP: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 6 (0.041%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 5955 (40.381%)
Stream Trackers: 403
Stream flushes: 223
Segments used: 453
Stream4 Memory Faults: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400
used(%0.760622)/blocks (79757/432) Overhea
d blocks: 1 Could Hold: (71331)
IPV4 count: 431 frees: 0 low_time: 1130348993,
high_time: 1130349005, diff: 0h:0
0:12s
finds: 6516 reversed: 0(%0.000000)
find_sucess: 2341271307 find_fail: 1078269480
percent_success: (%0.000000) n
ew_flows: 439
Protocol: 6 (%99.125230) finds: 6459 reversed:
0(%0.000000)
find_sucess: 3354050943 find_fail: 1078272036
percent_success: (%0.000000) new
_flows: 420
Protocol: 17 (%0.828729) finds: 54 reversed:
0(%0.000000)
find_sucess: 636291451 find_fail: 1078040500
percent_success: (%0.000000) new_
flows: 17
Protocol: 88 (%0.046041) finds: 3 reversed:
0(%0.000000)
find_sucess: 0 find_fail: 0 percent_success:
(%0.000000) new_flows: 2
database: Closing connection to database ""
database: Closing connection to database ""
Snort exiting
Thank you,
Peter
__________________________________
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Is this possible answer to the problem? Peter Rodger (Oct 26)